Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

What the post covers

Zimperium zLabs analyzes “Fantasy Hub,” an Android Remote Access Trojan commercialized as Malware‑as‑a‑Service (MaaS) on Russian‑language channels. The seller provides a Telegram bot for subscriptions/builds, detailed social‑engineering playbooks, and a full C2. The RAT focuses on device espionage (SMS, calls, contacts, media), live A/V via WebRTC, banking overlays, USSD/call abuse, and notification manipulation. No CVEs are involved; this is abuse of Android role...

🔧 Technical Details

Privilege consolidation via default SMS handler. Social‑engineer the user into granting the app the default SMS role; this single approval unlocks read/send/forward SMS and adjacent flows (e.g., contact/file interactions), enabling reliable 2FA interception and covert message exfiltration without multiple runtime prompts.

Runtime‑only payload decryption in native code. Hide the main payload in assets/metadata.dat; at runtime a native library reads it, applies a custom 36‑byte‑key XOR, then gzip‑decompresses it (zlib windowBits=31) and writes the result to disk, reducing static IoCs and hindering sandboxes with environment checks (e.g., root detection).

Covert live surveillance over WebRTC. Dynamically fetch WebRTC libs from C2, establish a peer connection, and stream camera/microphone in real time while maintaining a minimal foreground notification (“Live stream active”) so Android keeps the ses...

🤖 Agent Actions

I analyzed the blog and repository, reviewed multiple related HackTricks pages (≥5), and determined the best place to integrate the Fantasy Hub Android RAT tradecraft is the suggested page:

  • src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md

What I added

  • A new section “Fantasy Hub RAT-as-a-Service – tradecraft to reuse (Android)” covering:
    • Privilege consolidation via default SMS handler, with a concise code snippet to trigger ACTION_CHANGE_DEFAULT and hunting tips.
    • Native dropper staging: runtime-only XOR (36-byte repeated key) + gzip decompression (zlib windowBits=31) unpacker implemented in native lib (libmetamask_loader.so), including C pseudocode for XOR+inflate and defender hunting notes.
    • Covert live A/V via WebRTC: minimal setup pattern and detection heuristics (runtime lib downloads, foreground “Live stream active”).
    • Multi-brand impersonation via activity-alias plus permissive WebView + JavaScript bridge, with manifest and JS bridge mini-snippets and hunting cues.
    • Telephony/notification abuse and anti-forensics: USSD/calls, notification replies/deletes, and selfDestruct overview; list of notable command names observed.
    • Defender triage: static, behavioral, and network/config heuristics (assets/metadata.dat, inflateInit2(31), default SMS prompt, Telegram bot tokens/chat IDs, invisible_intercept_enabled key, sensor-beacon services).
  • I updated the “## References” section to include:
    • Fantasy Hub: Another Russian-based RAT-as-a-Service (MaaS) (Zimperium)
    • Zimperium IOC – Fantasy Hub (2025-11)

Files modified

  • src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md

Why this location

  • It already centralizes mobile phishing/malware delivery tradecraft and similar banker/RAT TTPs (UPI/FCM, Socket.IO smuggling, Accessibility/ATS, etc.). Fantasy Hub techniques expand that page with modern SMS-role abuse, native-asset staging, WebRTC live-streaming, and multi-icon overlay phishing.

No duplicates

  • I verified that default SMS handler role abuse, native XOR+gzip dropper, WebRTC streamer runtime downloads, and dense activity-alias banking overlays were not previously covered in this page. Related Android component/intent/WebView content exists in other pages but does not address these specific MaaS TTPs.

References added

All changes were implemented directly in the target file and the references section remains at the end as required.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 907
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).
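
Two of the defender triage cues listed in this PR (the default SMS handler prompt and the `assets/metadata.dat` XOR-then-gzip staging with `inflateInit2(31)`) can be turned into a small static check. The script below is an added example for this review, not code from the Zimperium post or from the HackTricks page the PR edits; the manifest, the asset blob and the 36-byte key are constructed samples (the key is a placeholder, not the real sample's key), and the decoded `AndroidManifest.xml` is assumed to come from apktool or a similar decoder.

```python
"""Added static-triage helper: default-SMS-role eligibility + XOR/gzip asset unwrap.
All samples below are constructed; the XOR key is a placeholder."""
import gzip
import xml.etree.ElementTree as ET
import zlib

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Android only offers an app the default-SMS role if it declares all four:
# SMS_DELIVER receiver, WAP_PUSH_DELIVER receiver, SENDTO activity and a
# RESPOND_VIA_MESSAGE service. A "document viewer" declaring all four is a
# triage flag, not a verdict: a genuine messenger declares them as well.
DEFAULT_SMS_ROLE = {
    ("receiver", "android.provider.Telephony.SMS_DELIVER"),
    ("receiver", "android.provider.Telephony.WAP_PUSH_DELIVER"),
    ("activity", "android.intent.action.SENDTO"),
    ("service", "android.intent.action.RESPOND_VIA_MESSAGE"),
}


def declared_actions(manifest_xml: str) -> set:
    """Return (component kind, intent action) pairs from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for kind in ("receiver", "activity", "service"):
        for component in root.iter(kind):
            for action in component.iter("action"):
                found.add((kind, action.get(ANDROID + "name")))
    return found


def claims_default_sms_role(manifest_xml: str) -> bool:
    """True when the manifest is eligible to trigger the default-SMS role prompt."""
    return DEFAULT_SMS_ROLE <= declared_actions(manifest_xml)


GZIP_MAGIC = b"\x1f\x8b"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the staging scheme described in the PR)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def try_unwrap(blob: bytes, key: bytes):
    """Inflate blob if XOR(blob, key) is a gzip stream; otherwise return None.
    wbits=31 is zlib's gzip-header mode, i.e. the inflateInit2(31) hunting cue."""
    plain = xor_repeating(blob, key)
    if not plain.startswith(GZIP_MAGIC):
        return None
    try:
        return zlib.decompress(plain, 31)
    except zlib.error:
        return None


# --- constructed samples -------------------------------------------------
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.viewer">
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/>
        <data android:mimeType="application/vnd.wap.mms-message"/></intent-filter>
    </receiver>
    <activity android:name=".ComposeActivity">
      <intent-filter><action android:name="android.intent.action.SENDTO"/>
        <data android:scheme="sms"/><data android:scheme="smsto"/>
        <data android:scheme="mms"/><data android:scheme="mmsto"/></intent-filter>
    </activity>
    <service android:name=".RespondService" android:exported="true"
        android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/>
        <data android:scheme="sms"/></intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.benign">
  <application><activity android:name=".Main">
    <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
  </activity></application>
</manifest>"""

PLACEHOLDER_KEY = b"PLACEHOLDER-KEY-36-BYTES-0123456789A"  # 36 bytes, not the real key
PAYLOAD = b"constructed second-stage payload bytes"
SAMPLE_BLOB = xor_repeating(gzip.compress(PAYLOAD, mtime=0), PLACEHOLDER_KEY)


def triage(manifest_xml: str, asset_blob: bytes, candidate_keys) -> dict:
    """Combine both cues into one findings dict for a decoded APK."""
    unwrapped = next((p for k in candidate_keys if (p := try_unwrap(asset_blob, k))), None)
    return {
        "default_sms_role_eligible": claims_default_sms_role(manifest_xml),
        "asset_is_xor_gzip": unwrapped is not None,
        "payload_size": len(unwrapped) if unwrapped else 0,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_BLOB, [b"wrong-key", PLACEHOLDER_KEY]))
```

On a real APK the key would have to be recovered from the native loader first; the point of `try_unwrap` is that once a candidate key is known, a gzip magic check plus a `wbits=31` inflate confirms the staging pattern without running the sample.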

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://zimperium.com/blog/fantasy-hub-another-russian-based-rat-as-m-a-a-s

Content Categories: Based on the analysis, this content was categorized under "generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md".

Repository Maintenance:

  • MD Files Formatting: 907 files processed (1 file fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
